Prepared for external CTO validation

LUUP One
Architecture Pack

A CTO-ready architecture reference for validating the LUUP One build across platform structure, system context, containers, components, data relationships, security, permissions, financial controls, webhooks, automation, AI services, and operational readiness.

This pack explains how LUUP One should be structured as a multi-tenant customer commerce platform connecting merchants, customers, ambassadors, creators, missions, referrals, attribution, commissions, wallets, payouts, admin operations, automations, AI services, and external integrations.

Section 101

Overview

This architecture pack defines LUUP One as a practical multi-tenant customer commerce platform. It is designed to help an external CTO validate whether the build has the right technical foundations for merchants, ambassadors, customers, missions, referrals, attribution, commissions, wallets, payouts, admin controls, automations, integrations, AI services, and security.

Scope

What this pack covers

How LUUP One sits in the wider ecosystem
Which users and external systems interact with the platform
The expected Lovable, Supabase, GitHub, n8n, and AI services architecture
How the main application containers fit together
How backend components should be organised
How the data model should support merchants, ecosystems, referrals, commissions, wallets, and payouts
How roles, permissions, and tenant isolation should work
How financial events, webhooks, files, and audit logs should be secured
What the external CTO should validate before beta, paid merchants, and scale

Critical

Core validation question

Is LUUP One built as a real multi-tenant SaaS platform, or is it a high-fidelity prototype that needs a production-grade backend?

Section 202

Build Architecture Assumption

This architecture pack assumes LUUP One is being built using a modern Lovable and Supabase-based application architecture. The CTO should validate whether the actual implementation follows this structure and whether the handoff from AI-generated build to professional engineering process has been handled correctly.

Architecture chain

Lovable / React / Vite Frontend

Supabase Auth

Supabase PostgreSQL Database

Supabase Storage

Supabase Edge Functions

n8n Automation Layer

External Services and AI APIs

Expected technical stack

Frontend

Lovable / React / Vite

Version Control

GitHub

Authentication

Supabase Auth

Backend Database

Supabase PostgreSQL

Business Logic

Supabase Edge Functions

Storage

Supabase Storage

Automation Layer

n8n

AI Services

OpenAI, Anthropic, Gemini, or equivalent

External Services

Stripe, PayPal, Everflow, Shopify, email providers, analytics, logging, and other connected services

CTO note

The robustness of the application does not come from AI-generated code alone. It comes from the use of standard technologies, source-code ownership, PostgreSQL as the database foundation, proper security controls, scalable infrastructure options, and engineering review processes.

What the CTO should confirm

The Lovable frontend is connected to a real Supabase backend
The source code is connected to GitHub and owned by LUUP
Supabase Auth is used properly for user identity and session management
PostgreSQL is being used as the database foundation
Row Level Security is enabled and tested
Business logic is handled through backend functions, not only frontend code
Supabase Storage is configured with private buckets where needed
Edge Functions are used for sensitive operations
n8n is used only for appropriate automations, not critical financial logic without controls
External API keys are stored securely
AI services are called from secure backend functions, not directly from the frontend
Production and staging environments are separated
The app can be maintained by engineers outside Lovable

Boundary for n8n

n8n is appropriate for automations, notifications, enrichment, internal workflows, and operational processes. It should not be the core place for wallet logic, commission calculations, payouts, tenant security, or critical financial decisions unless strong controls, logs, and backend validation exist around it.

Section 303

C4 Architecture Model

The C4 model breaks the architecture into clear levels so the CTO can move from a high-level system view into the technical containers and backend components.

Level 1

System Context

Shows where LUUP One sits in the world, who uses it, and which external systems it depends on.

Level 2

Container Architecture

Shows the major technical blocks that make up LUUP One, including frontend applications, Supabase Auth, Supabase PostgreSQL, Supabase Storage, Edge Functions, webhook processing, commission engine, wallet ledger, n8n automation layer, AI services, notifications, and reporting.

Level 3

Component Architecture

Shows how the backend should be organised into services such as user, tenant, merchant, mission, referral, attribution, commission, wallet, payout, billing, admin, audit, notification, automation, and AI orchestration services.

Level 4

Code-Level Detail

Only needed later by the development team. This review pack focuses on Levels 1 to 3.

For the external CTO review, Levels 1 to 3 are enough to assess whether the build has the right architectural foundations.

Section 404

C4 Level 1: System Context

This shows where LUUP One sits in the world, who uses it, and what external systems it depends on.

Mermaid diagramSystem Context

Platform

LUUP One Platform

LUUP One Platform is the central system that allows merchants to launch customer, creator, affiliate, and ambassador-led growth campaigns.

Platform users

Luup Admin Team

Manages merchants, platform settings, payouts, fraud reviews, system configuration, and support.

Merchant / Brand Team

Creates missions, manages products, funds wallets, approves submissions, tracks sales, and reviews performance.

Ambassador / Creator / Customer Advocate

Joins ecosystems, completes missions, generates referral sales, earns commissions, and requests payouts.

End Customer

Purchases products through ambassador links, storefronts, referral codes, or campaign journeys.

External systems

Stripe

Used for subscriptions, merchant billing, wallet top-ups, and possibly payout rails.

PayPal

Used for user payout options.

Bank Transfer Process

Used for manual or semi-manual top-ups and payouts.

Everflow

Used for affiliate attribution, click tracking, conversion tracking, and performance reporting.

Shopify / Commerce Store

Used for product catalogues, orders, checkout, and purchase events.

Email / Notifications Provider

Used for transactional emails, mission updates, payout notifications, and onboarding.

Supabase Storage

Used for avatars, mission proofs, screenshots, UGC files, campaign assets, product images, and merchant logos.

Analytics / Logging

Used for platform monitoring, audit trails, error tracking, and performance analysis.

n8n Automation Layer

Used for non-critical automations, internal workflows, notifications, enrichment, operational processes, and integrations where appropriate.

AI Services

Used for AI-enabled workflows through backend-controlled calls to OpenAI, Anthropic, Gemini, or equivalent providers.

Section 505

C4 Level 2: Container Diagram

This shows the major technical blocks that make up LUUP One.

Mermaid diagramContainer Diagram

Lovable React / Vite Frontend

The frontend application generated through Lovable and built on a modern React / Vite architecture. It includes the main user-facing application for ambassadors, customers, creators, and advocates.

Includes

Mission discovery
Ecosystem joining
Profile setup
Referral links
Storefronts
Wallet view
Earnings tracking
Payout requests
Leaderboards
Badges and gamification

GitHub

The source-code repository and version-control layer.

CTO should confirm

The project is connected to GitHub
LUUP owns the repository
Changes can be reviewed through pull requests
Engineers can work on the codebase outside Lovable
Deployment and rollback practices are clear

Merchant Dashboard

The brand-facing control centre.

Includes

Merchant onboarding
Plan selection
Billing card setup
Wallet top-up
Mission creation
Product management
Submission review
Ambassador management
Campaign analytics
Revenue and ROI reporting
Team member management

Admin Dashboard

The internal Luup control panel.

Includes

Merchant management
User management
Platform fee configuration
Commission rules
Payout reviews
Manual adjustments
Fraud flags
White-label settings
Audit logs
System-wide reporting

Supabase Edge Functions / Backend APIs

The main application logic layer.

Responsible for

Authentication checks
Role checks
Tenant scoping
Mission logic
Referral logic
Commission calculations
Wallet transactions
Payout requests
Merchant settings
Admin actions
Data validation
Secure external API calls
AI service calls
Webhook processing support
API responses

Sensitive business logic should be handled through backend functions or database-level controls, not only in frontend code.

Supabase Auth

Signup
Login
Password reset
Email verification
Session management
Role assignment
OAuth, if used
Multi-factor authentication, if introduced later

Supabase PostgreSQL

Stores

Users
Merchants
Brands
Ecosystems
Missions
Submissions
Products
Referral links
Clicks
Orders
Commission rules
Commissions
Wallets
Wallet transactions
Payouts
Billing records
Audit logs

PostgreSQL should be treated as the database foundation for scalable relational modelling, tenant isolation, financial traceability, and auditability.

Supabase Storage

Stores

User avatars
Merchant logos
Mission images
Product images
Screenshot proofs
Uploaded UGC
Campaign files

Files should be stored in private buckets with signed URLs where needed.

Webhook Processor

Receives external events from

Stripe
PayPal
Everflow
Shopify

Examples

Payment succeeded
Subscription created
Order created
Order refunded
Conversion tracked
Payout failed
Wallet top-up completed

The webhook processor should verify signatures, store raw events, apply idempotency, and safely retry failed processing.

Commission Engine

Calculates

Tier 1 commission
Tier 2 commission
Tier 3 commission
Tier 4 commission
Mission rewards
Referral rewards
Platform fees
Refund clawbacks
Pending versus cleared commissions

Default LUUP 4-tier model

20%

Configurable per merchant, campaign, or ecosystem.

Wallet Ledger Service

Tracks all money movements.

This should not be a simple balance field.

Ledger entries for

Pending commission
Approved commission
Cleared balance
Withdrawal request
Withdrawal fee
Payout completed
Payout failed
Refund reversal
Manual adjustment
Merchant wallet top-up
Merchant spend
Platform fee deduction

n8n Automation Layer

Used for non-critical automations, internal workflows, notification routing, enrichment, operational processes, and integrations where appropriate.

Suitable uses

Internal alerts
Admin notifications
CRM sync
Email workflows
Data enrichment
Scheduled checks
Operational handoffs
Non-critical integration glue

n8n should not be the primary source of truth for commissions, wallets, payouts, tenant security, or critical financial logic unless it is backed by backend validation, audit logs, idempotency, and clear operational controls.

AI Orchestration Layer

Controls secure AI service calls through backend functions.

Used for

AI-assisted mission creation
Content suggestions
Campaign recommendations
Support workflows
Data enrichment
Admin productivity tools

AI service calls should be made through secure backend-controlled functions. API keys must not be exposed in the frontend.

Notification Service

Sends

Mission updates
Submission approvals
Submission rejections
Payout updates
Wallet changes
Merchant billing notices
Campaign alerts
Admin alerts

Analytics and Reporting Layer

Supports dashboards for

Merchant GMV
Revenue generated
Clicks
Conversions
Commission paid
Mission performance
Ambassador ranking
Campaign ROI
Luup platform revenue
Payout liability
User growth

Section 606

C4 Level 3: Component Architecture

Backend component view.

Mermaid diagramComponent Architecture

Component responsibilities

User Service

Manages

User profiles
Account creation
Identity
Avatar
Display name
Contact details
Status
Account suspension

Tenant / Workspace Service

Manages the multi-tenant structure. This is critical.

Controls

Merchant workspaces
Brand workspaces
Ecosystem access
Tenant boundaries
User membership
Role assignment per workspace

This prevents one merchant from seeing or modifying another merchant's data.

Merchant Service

Merchant profile
Merchant settings
Billing status
Wallet funding status
Commission settings
Platform fee settings
Team members
Store connections

Ecosystem Service

Manages ecosystems such as LUUP One, Combat Market, FanFuel, future verticals, and white-label environments.

Each ecosystem can have

Theme
Branding
Missions
Products
Users
Ranks
Badges
Commission rules
Campaign logic

Mission Service

Mission creation
Mission editing
Mission status
Mission capacity
Mission deadlines
Reward rules
Mission visibility
Mission duplication
Mission analytics

Mission statuses

DraftLivePausedCompletedArchived

Submission Review Service

User submissions
Proof uploads
Approval
Rejection
Reviewer feedback
Submission history
Fraud flags
Bulk approvals

Submission statuses

SubmittedIn reviewApprovedRejectedRewarded

Product Service

Product catalogue
Product images
Product pricing
Product categories
Product tags
Featured products
Storefront products
Affiliate link generation

Referral Service

Referral codes
Referral links
Ambassador links
Customer referral links
Storefront links
Referral tree
Referral ownership
Referral hierarchy

Attribution Service

Determines who gets credit for a sale.

Click tracking
Signup tracking
Customer attribution
Order attribution
Repeat purchase attribution
First-click or last-click rules
Everflow data matching
Manual attribution corrections

Order Service

Stores commerce events.

Order creation
Order value
Customer ID
Merchant ID
Product line items
Refund status
Cancellation status
Attribution status
Commission status

Commission Engine

Calculates financial rewards.

Tier 1 commission
Tier 2 commission
Tier 3 commission
Tier 4 commission
Mission rewards
Product-specific commission
Merchant-specific rules
Refund clawbacks
Fee deductions
Pending and cleared states

Wallet Ledger Service

The financial source of truth.

User wallet
Merchant float wallet
Platform fee wallet
Ledger entries
Balance calculation
Pending funds
Cleared funds
Adjustments
Reversals

Payout Service

Payout requests
Minimum payout threshold
Payout approval
Payout method
Payout status
Payout failure
Payout retry
Withdrawal fees
Payout audit logs

Billing Service

Merchant subscriptions
Stripe billing
Plan changes
Card setup
Subscription renewal
Failed payments
Trial status
Wallet top-ups
Invoices

Admin Service

Handles internal platform operations. Allows Luup to:

View all merchants
View all users
Pause merchants
Suspend users
Adjust wallet transactions
Configure platform fees
Resolve disputes
Approve payouts
Manage white-label settings

Audit Log Service

Stores important actions.

Role changed
Mission created
Mission approved
Commission generated
Wallet adjusted
Payout requested
Payout approved
Merchant fee changed
Webhook received
Admin override performed

Notification Service

Sends system, merchant, user, and admin notifications.

File Upload Service

Controls secure uploads, private storage, signed URLs, file ownership, tenant-scoped access, and proof file retrieval.

Automation Orchestration Service

Coordinates appropriate n8n workflows for non-critical automations, internal workflows, enrichment, scheduled tasks, and operational processes.

AI Orchestration Service

Controls AI service calls through backend functions so API keys stay secure and AI outputs can be validated before affecting important system records.

Section 707

Data Model / ERD

This is one of the most important parts for the CTO. The data model should prove that LUUP One can support multiple merchants, multiple ecosystems, multiple brands, multiple users, multiple roles, referral hierarchies, attribution, commissions, wallets, payouts, and audit logs.

Coverage

The data model should support

Multiple merchants
Multiple ecosystems
Multiple brands
Multiple users
Multiple roles
Referral hierarchies
Attribution
Commissions
Wallets
Payouts
Audit logs

Mermaid diagramEntity Relationship Diagram

Do not include detailed table definitions in this section. The ERD and high-level entity relationship model are enough for this page.

Core entity groups

Identity and access

Users
Profiles
User roles
Merchant team members
Ecosystem memberships

Merchant and ecosystem structure

Merchants
Brands
Ecosystems
Products
Missions

Campaign participation

Mission submissions
Mission rewards
Badges
Leaderboards

Referral and attribution

Referral links
Clicks
Customers
Orders
Order items

Commission and wallet logic

Commission rules
Commissions
Wallets
Wallet transactions
Payout requests
Billing subscriptions

Governance and audit

Audit logs
Admin actions
Webhook events
Financial adjustments

CTO note

The CTO should validate whether the actual database reflects these relationships, especially merchant isolation, referral ownership, order attribution, commission traceability, wallet ledger entries, and audit logs.

Section 808

Security and Permissions Model

LUUP One should be designed around clear security principles. Authentication proves who the user is. Authorization controls what they can do. Tenant isolation controls what data they can access.

Authentication proves who the user is

Authorization controls what they can do

Tenant isolation controls what data they can access

Audit logs record important actions

Financial actions must be ledger-based

External webhooks must be verified

Sensitive files must be private

No sensitive logic should live only in the frontend

AI service calls must happen through backend-controlled functions

Automation workflows must not bypass security or financial controls

Frontend cannot enforce security

The frontend can hide buttons, but the backend must enforce the actual rules.

Row Level Security

Row Level Security should be enabled and tested in Supabase. If RLS is disabled, incomplete, or only partially implemented, tenant isolation must be considered a major risk.

Section 909

Authentication Model

The authentication layer should provide secure identity, session handling, verification, and recovery. In the assumed build stack, this should be handled by Supabase Auth.

Baseline

Minimum supported authentication

Email and password
Email verification
Password reset
Secure session management
Supabase Auth integration

Recommended

Recommended authentication

Google OAuth
Multi-factor authentication for admins
Multi-factor authentication for merchant owners
Session revocation
Device/session visibility
Strong password rules
Clear separation between staging and production users

Section 1010

Role Model

The permission model should support platform-level roles, merchant-level roles, and user-level roles. A user may have different permissions in different merchant workspaces or ecosystems.

Platform-level roles

Super Admin

Luup internal owner-level access.

Can

View all merchants
View all users
View all payouts
Configure platform fees
Manage white-label settings
Suspend merchants
Suspend users
Approve high-risk payouts
Create admin users
Access audit logs

Admin Operator

Luup internal ops role.

Can

View merchants
View users
Review submissions
Review payouts
Handle support
Flag fraud
View audit logs

Cannot

Change platform fees
Create super admins
Delete critical records
Change financial settings without approval

Finance Admin

Luup internal finance role.

Can

View merchant float balances
View payout requests
Approve payouts
Reject payouts
View wallet ledgers
Export finance reports

Cannot

Create missions
Change campaign settings
Change platform configuration

Merchant-level roles

Merchant Owner

Can

Manage merchant settings
Manage billing
Add card details
Top up wallet
Create missions
Approve submissions
Manage products
Invite team members
View reporting
Export data
Configure commission rules, if allowed

Merchant Admin

Can

Create missions
Edit missions
Approve submissions
Manage products
View ambassadors
View analytics
Invite limited team members

Cannot

Change billing
Change ownership
Change platform fees
Approve large payouts unless permitted

Campaign Manager

Can

Create and edit missions
View mission performance
Review submissions
Message participants

Cannot

Access billing
Access payout settings
Adjust wallets
Invite finance users

Reviewer

Can

View assigned submissions
Approve submissions
Reject submissions
Add reviewer feedback

Cannot

Create missions
Access billing
View full financial reports
Adjust rewards manually

Finance Viewer

Can

View invoices
View wallet top-ups
View commission liability
Export finance reports

Cannot

Approve submissions
Create missions
Change billing method
Approve payouts

User-level roles

Ambassador / Creator

Can

Join ecosystems
Complete profile
Join missions
Submit proof
Generate referral links
View own clicks, sales, and earnings
Request payouts
View own wallet ledger

Cannot

Access merchant dashboards
Approve submissions
Change commissions
View other users' earnings
Access another ecosystem unless joined

Customer Advocate

Similar to ambassador, but may have fewer advanced creator features.

Can

Refer friends
Access referral links
Earn customer rewards
View own earnings
Request payouts, if enabled

End Customer

Can

Purchase through referral links
Create an account, if needed
Join later as an advocate, if enabled

Cannot

Access dashboard
View commissions
Access private mission data

Section 1111

Permission Matrix

This matrix shows which roles can perform core platform actions. Use it as the basis for backend permission checks, not just frontend visibility rules.

Action	Super Admin	Admin Operator	Finance Admin	Merchant Owner	Merchant Admin	Campaign Manager	Reviewer	Ambassador
View all merchants	Yes	Yes	Limited	No	No	No	No	No
Create merchant	Yes	Yes	No	No	No	No	No	No
Suspend merchant	Yes	Limited	No	No	No	No	No	No
Manage billing	Yes	No	View only	Yes	No	No	No	No
Top up merchant wallet	Yes	No	Yes	Yes	No	No	No	No
Create mission	Yes	Yes	No	Yes	Yes	Yes	No	No
Edit mission	Yes	Yes	No	Yes	Yes	Yes	No	No
Approve submission	Yes	Yes	No	Yes	Yes	Yes	Yes	No
Reject submission	Yes	Yes	No	Yes	Yes	Yes	Yes	No
Join mission	No	No	No	No	No	No	No	Yes
Submit proof	No	No	No	No	No	No	No	Yes
Generate referral link	No	No	No	No	No	No	No	Yes
View own earnings	No	No	No	No	No	No	No	Yes
View all user earnings	Yes	Limited	Yes	Merchant only	Merchant only	No	No	No
Adjust wallet	Yes	No	Limited	No	No	No	No	No
Request payout	No	No	No	No	No	No	No	Yes
Approve payout	Yes	No	Yes	Optional	No	No	No	No
View audit logs	Yes	Yes	Finance only	Merchant only	No	No	No	No
Change platform fees	Yes	No	No	No	No	No	No	No
Manage team members	Yes	No	No	Yes	Limited	No	No	No

Section 1212

Tenant Isolation Model

Tenant isolation is one of the most important parts of LUUP One because multiple merchants, brands, ecosystems, users, campaigns, referrals, wallets, and payouts exist inside the same platform.

Boundary

Recommended tenant boundary

The recommended tenant boundary is merchant_id as the commercial workspace boundary.

Then use

brand_id for brands under a merchant
ecosystem_id for verticals or white-label environments
user_id for individual user ownership

Rule

Core rule

Every sensitive table should be scoped by at least one of these:

merchant_id
brand_id
ecosystem_id
user_id

Scope examples

Missions

Need merchant_id and ecosystem_id.

Products

Need merchant_id and brand_id.

Orders

Need merchant_id.

Commissions

Need merchant_id and earning_user_id.

Wallets

Need owner_type and owner_id.

Payouts

Need user_id and wallet_id.

Audit logs

Need actor_user_id and merchant_id where relevant.

Access control rules

Merchant data access

A merchant user can only access records where merchant_id matches one of their merchant_team_members records.

Ecosystem access

An ambassador can only access private ecosystem content where they have an active ecosystem_memberships record.

Wallet access

A user can only view wallet records where wallet.owner_type = user and wallet.owner_id = current_user.id.

A merchant can only view merchant float wallets where wallet.owner_type = merchant and wallet.owner_id = merchant_id they belong to.

Admin access

Admins can access cross-tenant data, but every action should be recorded in audit_logs.

Supabase Row Level Security validation

RLS should be enabled on sensitive tables
Policies should scope data by merchant_id, ecosystem_id, brand_id, or user_id
Users should not be able to access data by changing IDs in URLs or API calls
Service role keys must not be exposed in frontend code
Admin cross-tenant access should be performed through secure backend functions
RLS policies should be tested with real test users across different roles

Section 1313

Security Architecture Diagram

Every protected action should pass through authentication, role validation, tenant scope validation, permission validation, and audit logging.

Mermaid diagramSecurity Architecture

Every protected action should pass through

Authentication
Role validation
Tenant scope validation
Permission validation
Row Level Security where applicable
Audit logging

Source of truth

The frontend can improve usability by hiding unavailable actions, but it must not be the source of security truth.

Section 1414

Financial Security Model

Because LUUP One handles commissions, wallets, merchant float, payout requests, withdrawal fees, platform fees, refunds, and clawbacks, the financial model must be ledger-based.

Principle

Ledger-based wallet principle

The wallet should be ledger-based. Do not rely on a single editable balance field. Every financial event should create an immutable wallet transaction.

Mermaid diagramCommission to payout flow

Required protections

Users cannot edit commission values

Users cannot create their own wallet credits

Users cannot withdraw pending funds

Users cannot withdraw below the minimum threshold

Users cannot request duplicate payouts for the same funds

Refunds must reverse or claw back commissions

Admin wallet adjustments must be logged

Payout approval must be permission-controlled

Webhook events must be idempotent

n8n workflows must not bypass financial controls

AI-generated actions must not directly alter wallet, commission, payout, or ledger records without human or backend validation

Section 1515

Webhook Security Model

External systems should not be trusted blindly. Webhooks from Stripe, Everflow, Shopify, and PayPal must be verified, stored, processed once, and logged.

Mermaid diagramWebhook processing pipeline

Required webhook controls

Verify signatures

Store raw payloads

Use idempotency keys

Process each event once

Retry failed events

Log failures

Alert on repeated failures

Never trust client-side payment confirmation alone

Trigger n8n only after the backend has validated and stored the event

Keep financial updates inside controlled backend logic

Section 1616

File Upload Security Model

LUUP missions may require screenshots, links, UGC, and proof files. These files should be private, tenant-scoped, and validated before storage. In the assumed build stack, this should use Supabase Storage.

Allowed file types only

Maximum file size

Private Supabase Storage buckets

Signed URLs

Tenant-scoped file access

Virus or malware scanning where possible

No executable uploads

Upload ownership stored in database

Access checked before file download

File deletion or retention policy

Sensitive proof files

Mission proof files can contain sensitive user or merchant information, so file access must be controlled through backend permission checks and storage policies.

Section 1717

Data Protection Model

LUUP One may store personal data, referral data, payout data, mission data, uploaded files, and earning history. The platform should minimise unnecessary storage and protect sensitive data throughout the lifecycle.

Inventory

Personal data LUUP may store

Name
Email
Profile image
Country
Payment method references
Payout method references
Referral activity
Mission submissions
Wallet and earning history

Controls

Recommended controls

Encrypt data in transit
Encrypt data at rest
Hash sensitive identifiers where possible
Avoid storing unnecessary payment data
Use Stripe or payment providers for card data
Use private Supabase Storage buckets
Allow user data deletion where legally required
Keep audit logs for financial and compliance reasons
Create a clear data retention policy
Keep AI prompts and outputs out of sensitive records unless necessary
Avoid sending unnecessary personal or financial data to AI providers
Separate staging and production data

Section 1818

Admin and Audit Model

Every sensitive admin, financial, security, automation, AI, and operational action should be logged so Luup can reconstruct what happened during disputes, fraud reviews, payout reviews, and technical incidents.

Actions to log

Failed login

Role change

Merchant created

Merchant suspended

Mission created

Mission edited

Submission approved

Submission rejected

Commission created

Commission reversed

Wallet adjusted

Payout requested

Payout approved

Payout rejected

Payout completed

Merchant fee changed

Webhook received

Webhook failed

Refund processed

n8n workflow triggered

AI service called

AI-generated recommendation accepted

Admin override performed

Audit log should include

Actor user ID
Action
Entity type
Entity ID
Merchant scope
Old value, where needed
New value, where needed
Timestamp
IP hash
Metadata
Source system
Related webhook event, where relevant
Related automation workflow, where relevant

Section 1919

CTO Review Checklist

Use this checklist during the external CTO review. Each item should be validated against the actual LUUP One build, not just the design or prototype.

Architecture

9 items

Is the platform multi-tenant?To validate
Is tenant isolation enforced at backend/database level?To validate
Is the app one codebase for multiple ecosystems?To validate
Are white-label settings configurable?To validate
Can merchants self-onboard?To validate
Are integrations real or mocked?To validate
Is the Lovable frontend connected to a real Supabase backend?To validate
Is the codebase connected to GitHub?To validate
Can engineers maintain the codebase outside Lovable?To validate

Data

7 items

Is there a proper relational data model?To validate
Are commissions traceable to orders?To validate
Are wallet balances ledger-based?To validate
Are audit logs implemented?To validate
Are refunds and clawbacks handled?To validate
Is PostgreSQL being used as the database foundation?To validate
Are database relationships, constraints, and indexes appropriate?To validate

Security

8 items

Are permissions enforced server-side?To validate
Can merchants access only their own data?To validate
Is Supabase Row Level Security enabled and tested?To validate
Are webhook signatures verified?To validate
Are API keys stored securely?To validate
Are uploaded files private?To validate
Are payout actions logged?To validate
Are service role keys kept out of frontend code?To validate

Financial logic

7 items

Is the 4-tier commission model configurable?To validate
Are pending and cleared balances separate?To validate
Can users withdraw only cleared funds?To validate
Are failed payouts handled?To validate
Are duplicate payouts prevented?To validate
Are merchant float balances tracked?To validate
Is n8n prevented from bypassing financial controls?To validate

Automation and AI

6 items

Is n8n used only for appropriate non-critical workflows?To validate
Are n8n workflows logged and monitored?To validate
Are AI API calls made through backend functions?To validate
Are AI API keys hidden from the frontend?To validate
Is sensitive personal or financial data kept out of AI prompts where possible?To validate
Are AI outputs reviewed or validated before affecting important records?To validate

Section 2020

Recommended Architecture Pack Structure

For the external CTO, present the architecture in this order so the review starts with product truth, moves into system design, then validates data, flows, security, automation, AI usage, and roadmap.

01
Truth Table
Built, partially built, mocked, not built.
02
Build Architecture Assumption
Lovable, React, Vite, Supabase Auth, PostgreSQL, Supabase Storage, Edge Functions, GitHub, n8n, external services, and AI APIs.
03
System Context
Who uses LUUP One and what systems it connects to.
04
Container Architecture
Frontend, backend, database, storage, webhooks, commission engine, wallet ledger, n8n automation layer, AI orchestration layer.
05
Data Model / ERD
Core entities and relationships.
06
Key Flows
Merchant onboarding, mission creation, ambassador activation, attribution and commission, wallet and payout, refund and clawback.
07
Security and Permissions
Roles, tenant isolation, Row Level Security, backend permission checks, webhook security, file security, audit logs.
08
Automation and AI Controls
Where n8n and AI services are appropriate, where they are not appropriate, and what controls are required.
09
Technical Debt and Roadmap
What must be fixed before beta, before paid merchants, and before scale.

Section 2121

Final Assessment

The robustness of LUUP One does not come from AI-generated code alone. It comes from using standard technologies, source-code ownership, PostgreSQL as the database foundation, proper Row Level Security, secure backend-controlled business logic, scalable infrastructure options, and professional engineering review processes.

Conclusion

A Lovable and Supabase application that is connected to GitHub, reviewed using professional engineering tools, protected by Row Level Security, and deployed using accepted software engineering practices can legitimately be described as a robust and scalable modern web application architecture suitable for SaaS products, internal business systems, customer portals, CRM platforms, and AI-enabled business applications.

CTO validation warning

This is only true if the actual build avoids storing sensitive business logic in the frontend, enforces permissions at the database or backend layer, secures API keys, separates tenant data properly, and implements financial logic through auditable backend processes.

Section 2222

The Most Important CTO Question

Final question

Is LUUP One built as a real multi-tenant SaaS platform, or is it a high-fidelity prototype that needs a production-grade backend?

This architecture pack gives the review structure needed to answer that honestly and professionally.

Recommended next stepValidate the real build against this architecture, then produce a truth table showing what is built, partially built, mocked, or missing.

LUUP OneArchitecture Pack

What this pack covers

Core validation question

Expected technical stack

What the CTO should confirm

System Context

Container Architecture

Component Architecture

Code-Level Detail

LUUP One Platform

Platform users

Luup Admin Team

Merchant / Brand Team

Ambassador / Creator / Customer Advocate

End Customer

External systems

Stripe

PayPal

Bank Transfer Process

Everflow

Shopify / Commerce Store

Email / Notifications Provider

Supabase Storage

Analytics / Logging

n8n Automation Layer

AI Services

Lovable React / Vite Frontend

GitHub

Merchant Dashboard

Admin Dashboard

Supabase Edge Functions / Backend APIs

Supabase Auth

Supabase PostgreSQL

Supabase Storage

Webhook Processor

Commission Engine

Wallet Ledger Service

n8n Automation Layer

AI Orchestration Layer

Notification Service

Analytics and Reporting Layer

Component responsibilities

User Service

Tenant / Workspace Service

Merchant Service

Ecosystem Service

Mission Service

Submission Review Service

Product Service

Referral Service

Attribution Service

Order Service

Commission Engine

Wallet Ledger Service

Payout Service

Billing Service

Admin Service

Audit Log Service

Notification Service

File Upload Service

Automation Orchestration Service

AI Orchestration Service

The data model should support

Core entity groups

Identity and access

Merchant and ecosystem structure

Campaign participation

Referral and attribution

Commission and wallet logic

Governance and audit

Minimum supported authentication

Recommended authentication

Platform-level roles

Super Admin

Admin Operator

Finance Admin

Merchant-level roles

Merchant Owner

Merchant Admin

Campaign Manager

LUUP One
Architecture Pack